Have you ever visited a website that formerly required only a password but now has another layer of protection? Because of the prevalence of data breaches and identity theft threats, some sites are stepping up security to safeguard you and your information from the bad guys. The change is called two-step verification.
Although it sounds technical, two-step verification — also called two-factor authentication, or 2FA — is very simple. Instead of the usual log-in involving input of a username and password, a 2FA system requires at least one extra step, such as entering a cellphone number, identifying a jumbled pattern of letters or providing a fingerprint or voiceprint.
Two-step verification has been around since the dawn of online retailing, although it’s often in the background. For example, when you input a zip code at the same time as a credit card number, that’s 2FA in action.
This additional step may feel like a hassle when you’re trying to speed through some account management or an online purchase, but it’s worth the effort. Two-step verification creates an extra layer of security that forces identity thieves to do more than just crack a password.
While two-factor authentication isn’t impervious to bad actors, it certainly makes hacking harder. To hack two-step verification, an attacker must gain access to more user information, which gives you a higher level of identity theft protection.
In many cases, use of 2FA isn’t left up to the user. However, there are ways you can incorporate this additional security layer into your identity theft protection mix. For example …
Use two-step verification sites more often: Check out this frequently updated list to find out which sites and services have put two-step verification in place. That way, if you’re trying to decide between two providers — for example, payment services like PayPal and Dwolla — you’ll know which site has 2FA security.
Keep personal info updated: Some sites, such as Facebook, Apple and Gmail, give you the option of enabling two-factor authentication by adding your cellphone number to existing account profile information. So, if you try to log in from a different machine or you simply want a higher level of security, the site will text a temporary log-in code to your phone. If you get an unsolicited text, you’ll know that someone else is trying to crack your account.
Check security settings: Sites that let you enable or disable two-step verification will usually offer the option in the security or profile settings area of your account information. For example, Facebook security settings allow you to get an alert when anyone logs in from a new device or browser; you can also choose to set up 2FA as one more layer of protection.
Two-Step Verification is Not a Panacea
It’s critical to remember that 2FA security is only as strong as its weakest link. For example, companies can offer users a way to verify logins using a mobile app or SMS code; however, if the phone is lost, so is physical control of that method of authentication.
Moreover, most services don’t require users to enter a passcode for every login, especially on known machines and networks. If someone gets physical access to such a machine, personal and even company information can be compromised.
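The flow described above (a temporary code texted when a login comes from a different machine, and no code on known machines) modelled as an added Python example; it is not code from any service named in this post. The class name, the five-minute lifetime, the attempt limit and the `outbox` list standing in for an SMS gateway are all assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a texted code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the code is void (assumed)

class TwoStepLogin:
    """Toy model of one account: password, texted code, remembered devices."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw = self._hash(password)
        self.trusted = set()    # device ids that skip the second step
        self._pending = None    # [code, expiry, attempts_left]
        self.outbox = []        # stands in for the SMS gateway

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def start(self, password, device_id, now=None):
        """Step 1. Returns 'denied', 'ok' (known device) or 'code_sent'."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._hash(password), self._pw):
            return "denied"
        if device_id in self.trusted:
            return "ok"         # the weak link: no code on a known machine
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.outbox.append(code)  # an unexpected text means the password is known
        return "code_sent"

    def finish(self, code, device_id, remember=False, now=None):
        """Step 2. Checks the texted code; it is single-use and expires."""
        now = time.time() if now is None else now
        if self._pending is None:
            return False
        expected, expiry, left = self._pending
        if now > expiry or left <= 0:
            self._pending = None
            return False
        if not hmac.compare_digest(code, expected):
            self._pending[2] -= 1   # count the wrong guess
            return False
        self._pending = None        # a used code cannot be replayed
        if remember:
            self.trusted.add(device_id)
        return True
```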
So, if your business and employees rely on consumer-facing web products, requiring users to turn on two-factor authentication is highly recommended. For example, services like LinkedIn, Shopify, Google, and others all offer the added security to users.
In addition to the tips shared above, which can be applied to your employees, using password management apps, like LastPass or 1Password, can also help secure passwords. Establishing a standard that all employees must use a different, distinct password for each application they use will help with phishing. Also, share posts like this one with your employees to help raise awareness, because even the most seemingly savvy employees can get hacked.
Image courtesy of Flickr user Angel Arcones.